Re: undetermined or postponed for freeimage?
On Thu, Apr 11, 2024 at 10:23:13PM +0200, Ola Lundqvist wrote:
> Hi fellow LTS contributors
>
> I hope you do not mind me asking but there is one thing that I would
> like to check.
>
> When I look at this CVE that was previously postponed:
> https://security-tracker.debian.org/tracker/CVE-2019-12214
>
> The information tells that the vulnerability may in fact not be in
> freeimage at all.
> For this I think "undetermined" tag is typically used instead of postponed.
> Should I change?
>
I would recommend against changing it. *We* think that it may not be an
issue in freeimage, but that is based on Hugo's speculation. I don't
think "undetermined" is meant to be used in this case.
> I guess so, but since I'm not sure if it has any other implications I
> want to check first.
>
> We will clearly not be able to fix it in any case because we do not
> have enough information to tell what the problem was in the first
> place.
>
> While I'm at it I'm removing postponed tag for a few CVEs now, because
> they are postponed until patches are available and now patches are
> available in Fedora.
>
Regards,
-Roberto
--
Roberto C. Sánchez